Robin’s Newsletter #86

9 February 2020. Volume 3, Issue 6
Simon Weckert's Google Maps art installation; IKEA's data promise; and valentine's security awareness.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Man creates traffic jam on Google Maps using a cart full of mobile phones

Pablo Picasso is credited with saying “art is a lie that makes us see the truth,” and artist Simon Weckert brought to life our reliance on algorithms with a great art installation this week.

“[He] walked the streets of Berlin tugging a red wagon behind him. Wherever he went, Google Maps showed a congested traffic jam. People using Google Maps would see a thick red line indicating congestion on the road, even when there was no traffic at all.”

The story itself is gleefully simple, going by my LinkedIn post, capturing not just my, but plenty of other’s imaginations too.

It’s a great example of the importance we place on the integrity of data - rather than confidentiality aspects seen in data breaches and availability from ransomware incidents.

It also highlights the unquestioning reliance we place in systems every day, each component of which is worked on by a minuscule team compared to their global user base. I’d hazard a guess that the team behind Google Maps’ routing engine is no more than two-digits. Over 1 billion people use Google Maps each month.

The Glass Cage is a great read if you want to delve deeper into the world of algorithms, automation and AI. In it, author Nicholas Carr takes a look examples of automation bias and automation complacency. “As computer systems and software applications come to play an ever larger role in shaping our lives and the world, we have an obligation to be more, not less, involved in decisions about their design and use.”

To that end, Hemant Taneja’s blog post in Harvard Business Review is well worth a read too: ‘The era of “Move Fast and Break Things” is over… “minimum viable products” must be replaced by “minimum virtuous products.”’

There are plenty of interesting new fields of study emerging around data ethics, privacy and artificial intelligence, like ‘how do you teach an AI to forget?’ (vol. 2, iss. 24.) In a time when ‘software is eating the world,’ there perhaps a lot more we can all learn by spending time looking at the lies told to us by artists. Thank you, Simon, for walking around Berlin with your cart full of mobile phones!, The Glass Cage (, Minimum virtuous products (

Interesting stats

10.9% of IT budget is spent on cyber security programmes, according to Accenture. Plenty more, involved, stats in their State of Cybersecurity Report 2019

48% of Chief Information Security Officer’s admit that job-stress has affected their mental health, 23% said they are relying on medication or alcohol as a coping mechanism, according to Nominet.

If you need help managing work-related stress, check out UK-charity Mind’s info.

Also in the Nominet survey, 97% of C-Suite executives said that the security team could improve on delivering value for amount of budget they receive

4x increase in the number of objections when penetration test tactics used against themselves

36% of UK SMBs rely on senior management to make the call of what, and when, to patch software, according to Sophos

1,000+ cases of technology theft ‘by China’ being investigated by FBI

Other newsy bits

IKEA’s ‘Data Promise’

Hat tip to @JessicaLennard and @ProjectsByIF for sharing a really interesting video with Barbara Martin Coppola, IKEA’s Chief Digital Officer, about how they are redesigning the way that IKEA use their customer’s data, putting visual explanations and controls in context to help user’s better understand and make informed decisions. Neat!

Iowa’s Democratic caucus was a tech disaster

A new app was commissioned to capture and report results from the districts voting on Democratic presidential nominees. While it wasn’t hacked, its security posture wasn’t great (see Vice Motherboard), and is a catalogue of examples of how not to do things - be it from user-centred design, security, or continuity plans. User needs were poorly understood and training was minimal, aspects of the app were kept a close secret ‘to keep it safe from cyber-attack’ (security through obscurity is a fallacy), and then the business continuity plans were disrupted because Trump supporters flooded phone lines with spam phone calls. (They’d also reduced the number of support lines because ‘the app will streamline things.’),

Twitter’s API abused to match 17 million phone numbers and accounts

Actors with ties to nation state groups used lax practices on Twitter’s Application Programming Interface (API) to match 17 million phone numbers to Twitter accounts. The information is useful when trying to, for example, match protestors in the digital realm with their real life identities. Saudi Arabia was caught buying details of 6,000 from two Twitter employees for $30,000 last year (vol. 2, iss. 45.) As organisations open up their services to be accessed programmatically this sort of API abuse will increase. Facebook, for example, discovered lots of API mis-use following the Cambridge Analytica scandal. APIs provide much of the ‘glue’ that provide for seamless experiences. Keep an eye on their use, what data can be accessed via them, and where that access is from are crucial ‘non-functional’ aspects that need to be considered.

Using monitor brightness to exfiltrate data from air-gapped networks

Some interesting research from Israel’s Ben-Gurion university where researchers have demonstrated the ability to exfiltrate data by making subtle manipulations to the brightness of computer screens. The team have priors, with plenty of example of other techniques for avoiding detection. Whilst the rate, and distance, at which data is transmitted is low, that could be sufficient for some clandestine operations.

In brief

Attacks, incidents & breaches

  • Google Takeout a bit too true to its name after potentially 1000s of private videos shared with complete strangers
  • Facebook’s accounts on Twitter and Instagram were hacked [via third-party social media management platform]
  • Microsoft Teams suffers outage due to expired certificate, company says
  • Deliveries stranded across Australia as Toll confirms ransomware attack

Threat intel

  • 5 new vulnerabilities [in Cisco products] expose the ‘backbone’ of an enterprise network to data theft
  • ‘EKANS’ Ransomware appears to be work of cybercriminals, targets Industrial Control Systems
  • This crafty malware makes you retype your passwords so it can steal them
  • BEC Scammers’ Interest in the Real Estate Sector Rises

Security engineering

Internet of Things

  • This is not Huawei to reassure people about Beijing’s spying eyes: Trivial backdoor found in HiSilicon’s firmware for net-connected cams, recorders
  • Bug in Philips Smart Light Allows Hopping to Devices on the Network


  • Out of Control: How consumers are exploited by the adtech industry - and what we are doing to make it stop
  • US agencies using phone location data for immigration enforcement, report says

Mergers, acquisitions and investments

  • HPE acquires cloud native security startup Scytale
  • Forescout goes for $1.9 billion in private-equity acquisition
  • Netskope raises another $340 million from venture capital crowd

And finally

Be my valentine

Some might fine punnery from @TashJNorris this week delivering some valentine-themed security awareness one-liners. Have you received any phishing emails recently? Because you are quite a catch. @TashJNorris


Chip in to buy with me?


  Robin's Newsletter - Volume 3

  Simon Weckert The Glass Cage Minimum virtuous product IKEA Automation Integrity algorithm integrity Security Spend Data Protection Consumer Trust Twitter Air Gap